Re: ICMP and ipfw

From: Michael Sierchio <kudzu_at_tenebras.com>
Date: Sun, 13 Mar 2022 16:36:41 UTC
On Sun, Mar 13, 2022 at 6:06 AM LuMiWa <lumiwa@dismail.de> wrote:

> Hi!
>
> I changed some settings in ipfw.rules:
> # ICMP
> $cmd 02300 deny log icmp from any to any icmptypes 8
> $cmd 02350 deny log icmp from any to any icmptypes 0
> $cmd 02400 allow ipv6-icmp from any to any icmp6types 128,129
> $cmd 02500 allow icmp from any to any icmptypes 3,4,11
> $cmd 02600 allow ipv6-icmp from any to any icmp6types 3
>
> Then I tested on www.grc.com and I failed on Ping reply:
> Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP
> Echo) requests, making it visible on the Internet. Most personal
> firewalls can be configured to block, drop, and ignore such ping
> requests in order to better hide systems from hackers. This is highly
> recommended since "Ping" is among the oldest and most common methods
> used to locate systems prior to further exploitation.
>
> I tried also icmptypes 8,0 and 0,0 but the same result.
>

Are you sure you don't want to be able to ping your ISP's next hop router when
diagnosing a problem?

I don't at all agree with the advice that you should block ICMP types 0,8 –
they are useful and not harmful if you take appropriate measures (rate
limit replies, for example, so you aren't used in a reflection attack).
PING isn't the first choice for reconnaissance in any case. This is in the
category of conventional but misguided "wisdom", like updating passwords
based on the calendar. Does your software really respond appropriately to
Source Quench messages (icmptype 4)?

Better to have a blanket deny after explicit allows, like

# permit some ICMP
$cmd 02300 allow icmp from any to any icmptypes 0,3,4,11   in  recv $external_if
$cmd 02350 allow icmp from any to any icmptypes 0,3,4,8,11 out xmit $external_if
$cmd 02400 allow ipv6-icmp from any to any icmp6types 133,134,135,136,137

# deny ICMP
$cmd 02505 deny log icmp from any to any in recv $external_if

Make sure these are set

net.inet.icmp.icmplim_output=1
net.inet.icmp.icmplim= (some reasonable and small number)
net.inet6.icmp6.errppslimit (likewise)
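Added example, not part of the thread: a small Python model of ipfw first-match evaluation over the "explicit allows, then blanket deny" ruleset above, so the ordering can be checked before it goes live (inbound echo requests on the external interface should reach the deny rule while replies to our own pings still pass). It assumes `em0` as a placeholder for $external_if and a default rule of deny.

```python
import re

# Added example, not from the thread. Models ipfw first-match evaluation for
# the ICMP fields the rules above use; "em0" stands in for $external_if.
EXTERNAL_IF = "em0"  # placeholder interface name

RULES_TEXT = f"""
02300 allow icmp from any to any icmptypes 0,3,4,11 in recv {EXTERNAL_IF}
02350 allow icmp from any to any icmptypes 0,3,4,8,11 out xmit {EXTERNAL_IF}
02400 allow ipv6-icmp from any to any icmp6types 133,134,135,136,137
02505 deny log icmp from any to any in recv {EXTERNAL_IF}
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)(?:\s+log)?\s+(?P<proto>icmp|ipv6-icmp)"
    r"\s+from\s+\S+\s+to\s+\S+"
    r"(?:\s+icmp6?types\s+(?P<types>[\d,]+))?"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?:\s+(?:recv|xmit)\s+(?P<iface>\S+))?\s*$"
)

def parse_rules(text):
    """Parse the supported subset; raise on anything else so no rule is silently skipped."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        types = m.group("types")
        rules.append({
            "num": int(m.group("num")), "action": m.group("action"),
            "proto": m.group("proto"), "dir": m.group("dir"), "iface": m.group("iface"),
            "types": None if types is None else {int(t) for t in types.split(",")},
        })
    return sorted(rules, key=lambda r: r["num"])

def evaluate(rules, proto, icmp_type, direction, iface):
    """First matching rule wins, as in ipfw. No match falls to the default rule,
    modeled here as deny (a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT)."""
    for r in rules:
        if (r["proto"] == proto
                and (r["types"] is None or icmp_type in r["types"])
                and r["dir"] in (None, direction)
                and r["iface"] in (None, iface)):
            return r["num"], r["action"]
    return None, "deny"

RULES = parse_rules(RULES_TEXT)
```

Note that rule 02505 only covers IPv4 ICMP, so in this model an inbound IPv6 echo request (type 128) is not logged and simply falls to the default rule.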